I'm currently using Docker 29 with experimental nftables support enabled and have stopped using iptables. Docker creates its own nftables chains separate from /etc/nftables.conf. From what I understand, a drop rule should effectively block packets across any chain. My goal is to secure my setup by blocking a specific port (3000:80) that's opened via Docker Compose. I've added a forward chain and implemented a rule to drop all traffic, but I still find that the port is accessible. What strategies can I use to configure nftables to effectively block opened ports? While I realize I could just close the port or limit access to 127.0.0.1:3000, my intention is to create a more secure firewall setup.
4 Answers
Could you share the specific nftables rules you've set up? Also, posting the output from `nft list ruleset` can be helpful. Are you testing access locally or from another network? Remember that Docker’s port mapping is DNAT, which means it happens early in the packet processing—your forward chain might need to block port 80 specifically to manage access.
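The point about DNAT in the reply above, as an added nftables example that is not from the question or any answer here: Docker rewrites the destination in prerouting, so a forward-chain rule must match the post-DNAT container port or the conntrack original tuple, not the published port. The `3000:80` mapping comes from the question; the compose network subnet `172.18.0.0/16` is an assumption.

```nft
# Added example (not from the thread). Drop-in fragment for /etc/nftables.conf
# that coexists with the chains Docker creates in its own tables.
table inet user_filter {
    chain forward {
        # Base chain on the forward hook. A drop verdict here is final even if
        # Docker's own forward chain on the same hook accepts the packet.
        type filter hook forward priority filter - 1; policy accept;

        # By the forward hook, Docker's prerouting DNAT has already rewritten
        # the destination to the container's port 80, so "tcp dport 3000"
        # never matches. Match the pre-DNAT port via the conntrack original
        # tuple instead and drop the connection:
        ct original proto-dst 3000 tcp dport 80 \
            log prefix "drop-published-3000: " drop

        # Equivalent without conntrack: match the post-DNAT destination
        # (assumed compose network subnet, adjust to your own):
        # ip daddr 172.18.0.0/16 tcp dport 80 drop
    }
}
```

Note that connections made from the host itself to 127.0.0.1:3000 traverse the output hook, not forward, so verify from another machine on the network (or add the same rule to an output-hook chain) before concluding the rule is ineffective.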
Using ufw (Uncomplicated Firewall) on your host can simplify this process. Pair that with a perimeter firewall like OPNSense for added security. While nftables has its advantages, I wouldn't rely on it as my primary firewall approach.
To achieve security, it's best to have a default drop policy for all ports and only allow the necessary ones. If you open a port and immediately block it, you're likely to create conflicts. Stick to a strategy of not opening ports you don't need in your Docker Compose configuration.
Thanks for the insight! I’ll check my rules and see what I can share on that front.